PT-2025-46779 · WordPress · Sureforms

Published 2025-11-13 · Updated 2026-04-07 · CVE-2025-12536

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
SureForms plugin for WordPress, versions prior to 1.14.0

Description
The SureForms plugin for WordPress is susceptible to sensitive information disclosure in versions up to and including 1.13.1. The cause is the 'auth_callback' parameter being set to return true when the '_srfm_email_notification' post meta is registered, which permits unauthenticated access to that metadata. Successful exploitation allows unauthenticated attackers to extract sensitive data, including email notification configurations. These configurations often contain vendor-provided CRM/help desk dropbox addresses, CC/BCC recipients, and notification templates that could be exploited to inject malicious data into downstream systems.

Recommendations
Update the SureForms plugin to version 1.14.0 or later.
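The following is an added illustration of the registration pattern the description refers to; it is not SureForms code and is not the vendor's fix. The meta key and the always-true 'auth_callback' come from the advisory text; the post type name 'sureforms_form', the 'show_in_rest' setting and the hardened variant are assumptions made for the example.

```php
<?php
// Added example, not plugin code. Post type name and the hardened variant
// are assumptions; the meta key and the always-true auth_callback are the
// pattern the advisory describes.

// Vulnerable pattern: auth_callback is the hook WordPress consults for the
// edit_post_meta / add_post_meta / delete_post_meta capability checks on
// protected (underscore-prefixed) meta keys. Returning true unconditionally
// removes that gate, and registering the key with show_in_rest makes the
// value travel with the post object in REST responses, so anyone who can
// read the post can read the notification configuration.
function srfm_example_register_meta_vulnerable() {
    register_post_meta( 'sureforms_form', '_srfm_email_notification', array(
        'single'        => true,
        'type'          => 'string',
        'show_in_rest'  => true,            // assumption for the example
        'auth_callback' => '__return_true', // always allows the operation
    ) );
}

// Hardened variant (assumed, not the vendor's patch): keep the meta out of
// REST responses, and require a real capability for writes. The callback
// receives ( $allowed, $meta_key, $object_id, $user_id, $cap, $caps ).
function srfm_example_register_meta_hardened() {
    register_post_meta( 'sureforms_form', '_srfm_email_notification', array(
        'single'        => true,
        'type'          => 'string',
        'show_in_rest'  => false,
        'auth_callback' => function ( $allowed, $meta_key, $post_id ) {
            // Only users who may edit this form can touch its notification meta.
            return current_user_can( 'edit_post', $post_id );
        },
    ) );
}

add_action( 'init', 'srfm_example_register_meta_hardened' );
```

When reviewing a plugin for this class of issue, search for register_post_meta / register_meta calls whose 'auth_callback' is '__return_true' or a closure that ignores its arguments, and treat any such key that also sets 'show_in_rest' as a candidate for unauthenticated disclosure. If the value does need to reach the REST API for an admin UI, gate it behind a capability check rather than returning true.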


Weakness Enumeration

Related Identifiers

CVE-2025-12536

Affected Products

Sureforms